WordPress is one of the most ubiquitous web content management systems on the planet. With about 75,000,000 installs worldwide, it is one of the most common website platforms for organizations of all sizes. Nearly everybody has a WordPress site these days. With its impressive collection of functional plugins, easy-to-manage web pages, readily available themes, and a large development community, almost anyone can set up and run a website with minimal effort. But there are pitfalls to setting up something so simple. Given the tendency of most website operators to do only a basic setup, it is no wonder that WordPress is probably one of the most targeted platforms for hackers.
The following tips will help you armor plate your WordPress website, and they are a precursor to our two May events related to data security. The tips assume that you have some knowledge of setting up and administering a WordPress site and its plugins.
1. Change the Default Admin Username - By default, many WordPress installations are set up with the "Admin" username. Instead, create a different username as your administrative account. Some hosting providers actually allow you to set the admin username when first setting up the software.
2. Change the Default Admin Login URL - A standard WordPress installation will have a standard admin login URL, such as yoursite.org/wp-login.php or yoursite.org/wp-admin/. You can get a plugin that lets you change where that default login URL is located.
3. Limit Login Attempts - Brute force attackers will try thousands of combinations of usernames and passwords until they find something that works. You can guard against this attack method by limiting login attempts to three. After the third failed attempt, that computer is locked out. You will need to install a plugin for this.
4. Use Secure Sockets Layer - Also known as SSL, this is a must do in today's Internet environment, particularly with WordPress. SSL encrypts the traffic between a visitor's browser and your server, so that if it is intercepted on its way from one location on the web to another, it will be unreadable by those who do the intercepting.
5. Monitor Login and other Activities - Plugins like Wordfence will allow you to add an extra layer of awareness to your site. The plugin will inform an administrator when another administrator logs in, what suspect traffic is being sent to your website, and more.
6. Consider Two-Factor Authentication - To be extra cautious, you may want to consider implementing two-factor authentication. Basically, your username and password alone may not be enough to protect a site. You can add an additional PIN code requirement that gets texted to you during the login process. Upon entering the PIN code, you're then allowed to log in.
7. Perform Routine Scans of your Website Folders - Many times, a hacker will plant malicious pages or programs in deeper parts of your website that may be unprotected. You'll want to be sure to perform routine monitoring scans of your site's structure and compare it to a normal WordPress website structure. There are a few plugins that let you do so, such as Wordfence. Also, be sure that you set the permissions of the directories to prohibit unauthorized access. All directories should be set to "755," never "777." You may need to talk to your IT department about this one...
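As an added example (not from the original post), the following shell script performs the permission part of tip 7: it lists every world-writable directory or file under a WordPress document root and resets offenders to the usual baseline of 755 for directories and 644 for files. The sample tree it builds under a temporary directory is constructed here to stand in for a real install.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress document root for
# world-writable directories and files (tip 7: directories should be 755, never 777)
# and reset offenders to the usual WordPress baseline of 755 for directories and
# 644 for files.

# List every directory or regular file under $1 whose mode grants write to
# "others" (the octal ..2 bit), one path per line.
find_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 | sort
}

# Number of world-writable entries under $1 (0 when the tree is clean).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Only entries that are currently world-writable are touched, so a tree that is
# already correct is left alone.
fix_world_writable() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# Constructed sample tree standing in for a WordPress install: one 777 upload
# directory and one 666 file, the kind of mode a hurried setup leaves behind.
make_sample_tree() {
    wp_root="$(mktemp -d)"
    mkdir -p "$wp_root/wp-content/uploads" "$wp_root/wp-includes"
    chmod 755 "$wp_root" "$wp_root/wp-content" "$wp_root/wp-includes"
    : > "$wp_root/wp-config.php";        chmod 644 "$wp_root/wp-config.php"
    : > "$wp_root/wp-content/index.php"; chmod 666 "$wp_root/wp-content/index.php"
    chmod 777 "$wp_root/wp-content/uploads"
    printf '%s\n' "$wp_root"
}

# Walk-through on the sample tree: report, repair, report again.
if [ "${1:-}" = "--demo" ]; then
    WP_ROOT="$(make_sample_tree)"
    echo "Before: $(count_world_writable "$WP_ROOT") world-writable entries"
    find_world_writable "$WP_ROOT"
    fix_world_writable "$WP_ROOT"
    echo "After:  $(count_world_writable "$WP_ROOT") world-writable entries"
    rm -rf "$WP_ROOT"
fi
```

Run it with `--demo` to see the before/after report, or call `find_world_writable /path/to/wordpress` against a real document root to list what a scan would flag.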
8. Keep Everything Up-To-Date - Many vulnerabilities occur as a result of having outdated software and plugins. Be sure to update to the latest version of the core software (although you may not want to update to a beta version), themes, and any plugins. To be safe, you may want to have a second test version of your site that is hidden from view in order to test updates before applying them to the live website.
9. Keep Your Site Backed Up - Even with all of the precautions mentioned above, sometimes hackers still find their way in, or they may have done something to corrupt files so that the files themselves become damaged. In those cases, you will need to be able to go back in time and restore a copy of the files or database that is known to be clean. Having a good hosting partner that provides ample backup and restoration services is extremely valuable.
10. Don't Share Passwords with Others - No explanation needed! And be sure to keep them strong. While it is annoying to have to come up with a strong password, better safe than sorry.
11. Hide Your WordPress Version - If hackers know what version of WordPress you are using, they can exploit known vulnerabilities in that version. You can get a plugin to hide your WordPress version; Wordfence has a feature that allows you to do so. Some pros also advise hiding that you are using WordPress altogether. However, occasionally there are issues with that during upgrades and enhancements. Oh, and remove the line in the footer that says "Proudly Powered by WordPress."
These tips are just the tip of the iceberg. For more about armor plating your WordPress site, be sure to sign up for our Tech SIG "People Love WordPress and So Do Hackers" online interest group taking place on Wednesday, May 31 at noon.